PT-2024-30657 · Webpack+2
Michał Bentkowski · Published 2024-08-27 · Updated 2025-04-23 · CVE-2024-43788
CVSS v3.1: 6.4 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
Webpack versions prior to 5.94.0
Description
A DOM Clobbering vulnerability has been discovered in Webpack's AutoPublicPathRuntimeModule. This vulnerability can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements are present. The DOM Clobbering gadget in the module can be exploited by an attacker who embeds a piece of non-script, seemingly benign HTML markup in the webpage and leverages the gadgets living in the existing JavaScript code to transform it into executable code. Real-world exploitation of this gadget has been observed in the Canvas LMS, where it allows an XSS attack through JavaScript code compiled by Webpack. This issue can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.
Recommendations
To resolve the issue, upgrade to Webpack version 5.94.0 or later. As a temporary workaround, consider restricting access to the AutoPublicPathRuntimeModule until a patch is available. Additionally, ensure that all user-supplied HTML tags are properly sanitized to prevent XSS attacks. Avoid using the name attribute in the affected API endpoints until the issue is resolved.
Exploit
Fix
XSS
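The sanitization recommendation above, as an added example that is not Webpack's or this advisory's own code: a conservative filter that drops `id` and `name` values which would shadow an existing property of a reserved object. The element shape, the function names and `STANDIN_DOCUMENT` are assumptions made so the code runs under Node without a DOM; in a browser, pass `document` as `reserved`.

```javascript
// Constructed stand-in for a few standard Document properties (sample data only).
const STANDIN_DOCUMENT = { body: null, cookie: "", forms: [], images: [], location: null };

// Attributes that create named properties on document/window.
const CLOBBERING_ATTRS = ["id", "name"];

// True when `value` names a property that already exists on `reserved`.
// `in` is used on purpose so inherited properties (e.g. toString) count too.
function shadowsProperty(value, reserved) {
  return typeof value === "string" && value !== "" && value in reserved;
}

// elements: [{ tag, attrs }] as emitted by the sanitizer's HTML parser
// (hypothetical shape). Returns cleaned copies and a log of what was removed.
function stripClobberingAttrs(elements, reserved = STANDIN_DOCUMENT) {
  const removed = [];
  const cleaned = elements.map(({ tag, attrs }) => {
    const kept = {};
    for (const [key, value] of Object.entries(attrs)) {
      const attr = key.toLowerCase(); // HTML attribute names are case-insensitive
      if (CLOBBERING_ATTRS.includes(attr) && shadowsProperty(value, reserved)) {
        removed.push({ tag, attr, value });
        continue; // drop the colliding attribute, keep the element
      }
      kept[key] = value;
    }
    return { tag, attrs: kept };
  });
  return { cleaned, removed };
}

// Constructed sample input: two colliding values and one harmless id.
const SAMPLE_ELEMENTS = [
  { tag: "form", attrs: { NAME: "forms", action: "/search" } },
  { tag: "a", attrs: { id: "intro", href: "#intro" } },
  { tag: "div", attrs: { id: "cookie" } },
];

const report = stripClobberingAttrs(SAMPLE_ELEMENTS);
console.log(JSON.stringify(report.removed));
```

The filter complements the upgrade to 5.94.0 and does not replace it, since it only covers markup that passes through the sanitizer.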
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Suse
Webpack